Skip to content

CVE-2026-59890 (Medium) detected in setuptools-82.0.1-py3-none-any.whl #109

Description

@mend-for-github-com

CVE-2026-59890 - Medium Severity Vulnerability

Vulnerable Library - setuptools-82.0.1-py3-none-any.whl

Most extensible Python build backend with support for C/C++ extension modules

Library home page: https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/spotfire-python

Path to vulnerable library: /tmp/ws-ua_20260506063530_RVRPSW/python_WSYGMI/202605060635311/env/lib/python3.10/site-packages/setuptools-82.0.1.dist-info

Dependency Hierarchy:

  • setuptools-82.0.1-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

Publish Date: 2026-07-08

URL: CVE-2026-59890

CVSS 4 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h35f-9h28-mq5c

Release Date: 2026-07-08

Fix Resolution: 83.0.0


  • Check this box to open an automated fix PR

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions